Win 7 Antivirus 2012 ~ Virus Removal Help
Hello,
I've had this virus since the 30th. When it started it immediately produced all the pop-up warnings as described by everybody else.
I used Task Manager to escape touching the program (Win 7 Antivirus 2012) ..
then I rebooted in Safe Mode w/Networking and downloaded Malwarebytes and ran it.
It found several things ..
This shows I was using the free version. When I discovered the virus was continuing to come back I opted to do the Trial Version ... then ran just a quick scan which showed RIGHT THEN I was okay.
Malwarebytes Anti-Malware 1.60.0.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download
Database version: v2011.12.31.02
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7601.17514
Jennifer Burnette :: JENNIFERBURNETT [administrator]
Fri, 12/30/2011 11:30:29 PM
mbam-log-2011-12-30 (23-30-29).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P <----No Clue what that means
Objects scanned: 320495
Time elapsed: 39 minute(s), 3 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile)
-> Data: "C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "%1" %* -> Quarantined and deleted successfully.
Registry Data Items Detected: 4
HKCR\.exe| (Hijacked.exeFile) -> Bad: (pu4) Good: (exefile) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\Jennifer Burnette\AppData\Local\dwx.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Jennifer Burnette\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\f9046cc-5662e8c5 (Trojan.FakeAV) -> Quarantined and deleted successfully.
(end)
Came back, it's like every time I reboot it's re-inventing itself.
It almost looks like it's tied to my Firefox, I can see where Malwarebytes is removing it and although right now, no pop-ups, I'm not trusting it especially since finding the following in my Control Panel - Notifications Area ...
Every time I run Malwarebytes it adds to the total number of items removed but it's the same items, only changing maybe an .exe name.
I found Corinne's instruction for removal at another post .. Downloaded the TDSSkill and RKill, already had Malwarebytes so didn't have to do that.
I ran TDSSkill, no rootkits found ... Ran RKill, said processes were deleted while running ... Ran Malwarebytes again via Quick Scan and showed 0 ... thought great this may have got rid of it.
I rebooted the computer and decided to look at the Control Panel items again, imagine my surprise when I saw I now have a NEW file there for Win 7 Antivirus 2012. The OLD one was gud.exe and now this new one dwx.exe.
I've tried checking in Task Manager processes and startup ... NOTHING !!
I've also tried checking msconfig.exe, startup and services ... NOTHING !!
I totally have NO CLUE where or what to do next.
Is there ANYBODY that can help me .. I'd appreciate it so very much.
Thank you in advance for even reading this.
Jenn